Question

Django security settings for App Platform

I am running a Django 4.2 application on App Platform. When running the management command to check --deploy I get the following results:

(security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems. (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.

Looking at the Django documentation for those settings, however, I see warnings that they may not work if the site is behind a proxy. Using App Platform, I believe that is actually the case. So I would like to understand if, and how, those settings, or related settings, can be used for Django on App Platform.

As a side note, I have read the tutorial How To Harden the Security of Your Production Django Project. But that assumes that I can configure the server myself.

So I would greatly appreciate any recommendations or insights that would work for App Platform specifically.

Thanks in advance.


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
March 9, 2024

Heya,

Your situation is quite common when deploying Django applications on platforms like App Platform, where you don’t have direct control over the server configuration. Here’s how you can handle the warnings security.W004 and security.W008 in this context:

  1. SECURE_HSTS_SECONDS: This setting enforces HTTP Strict Transport Security (HSTS), which tells browsers to access your site via HTTPS only for a given amount of time. When your Django app is behind a proxy (like in App Platform), the proxy usually handles HTTPS connections, and your Django app might only see HTTP traffic (which is already secure within the internal network).

    If you enable SECURE_HSTS_SECONDS, make sure that HTTPS is already enabled and working on your App Platform setup. You must be certain that you don’t plan to serve over HTTP again; otherwise, users might not be able to access your site if they can only reach it via HTTP.

  2. SECURE_SSL_REDIRECT: This setting redirects all HTTP traffic to HTTPS. Like HSTS, if your app is behind a proxy that already redirects HTTP to HTTPS, enabling this in Django could be redundant or might cause issues.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.